Bug 2280896

Summary: (null) value in /etc/environment breaks login and sudo after pam-1.6.1-1.fc40
Product: [Fedora] Fedora
Component: pam
Version: 40
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Keywords: Regression
Reporter: mershl <mweires>
Assignee: Iker Pedrosa <ipedrosa>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: besser82, ipedrosa, jayguerette, tm
Fixed In Version: pam-1.6.1-3.fc40
Last Closed: 2024-06-04 03:21:53 UTC
Attachments (Description, Flags):
  journalctl -b-1 -p4.log (Flags: none)
  core.gdm-session-wor.0.d656a95a49fe4092a70101009721298d.1372.1715895517000000.zst (Flags: none)
  core.login.0.43462dd94de54755ba15fa65fe71fac4.1448.1716488294000000.zst (Flags: none)

Description mershl 2024-05-16 21:56:22 UTC
It affects my desktop system, but not my notebooks. Still looking into the possible difference.

gdm coredumps on every boot after pam-1.6.1-1.fc40:

see attachment

Reproducible: Always

Steps to Reproduce:
1. Update Silverblue 40 to deployment 40.20240514.0 or newer (including pam-1.6.1-1.fc40)
2. Reboot

Comment 1 mershl 2024-05-16 21:57:10 UTC
Created attachment 2033622
journalctl -b-1 -p4.log

Comment 2 Iker Pedrosa 2024-05-17 07:41:03 UTC
I can't reproduce it in my environment.

Can you share the coredump? I'd like to get additional information.

Comment 3 mershl 2024-05-17 09:51:26 UTC
Created attachment 2033653
core.gdm-session-wor.0.d656a95a49fe4092a70101009721298d.1372.1715895517000000.zst

coredump attached

Comment 4 mershl 2024-05-23 18:24:34 UTC
- booting with target level 3 reaches login, but login crashes. in this case /usr/bin/login coredumps.

coredump of /usr/bin/login attached below

any idea which files could influence this?

Comment 5 mershl 2024-05-23 18:25:14 UTC
Created attachment 2034829
core.login.0.43462dd94de54755ba15fa65fe71fac4.1448.1716488294000000.zst

Comment 6 mershl 2024-05-24 01:16:28 UTC
found the culprit as it was always segfaulting when trying to unescape env vars from /etc/environment

to reproduce:
1) set an env var of /etc/environment to a (null) value
       example: /etc/environment
                XMODIFIERS=
2) reboot
3) pam-1.6.1-1.fc40.x86_64 will segfault when trying to process /etc/environment

removing the line fixes the issue on next boot
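
Added example, not part of the original thread or of pam: a check that lists empty-value assignments in an /etc/environment-style file, the trigger described in comment 6. The function name `find_empty_env` and the parsing rules (`#` starts a comment, a leading `export ` is skipped, one NAME=VALUE per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Parsing rules are assumptions:
# '#' starts a comment, a leading "export " is skipped, NAME=VALUE per line.

# find_empty_env FILE
# Prints "LINE:NAME" for each assignment whose value is empty ('', "" or nothing).
# Exit status: 0 = at least one found, 1 = none, 2 = FILE not readable.
find_empty_env() {
    [ -r "$1" ] || return 2
    awk -v sq="'" '
        {
            line = $0
            sub(/\r$/, "", line)              # tolerate CRLF line endings
            sub(/#.*$/, "", line)             # drop comments
            sub(/^[ \t]+/, "", line)          # drop leading blanks
            sub(/[ \t]+$/, "", line)          # drop trailing blanks
            sub(/^export[ \t]+/, "", line)    # optional shell-style prefix
            eq = index(line, "=")
            if (eq < 2) next                  # blank, comment-only, or no NAME=
            name = substr(line, 1, eq - 1)
            val  = substr(line, eq + 1)
            if (val == "" || val == "\"\"" || val == sq sq) {
                print NR ":" name
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input; point the function at /etc/environment on a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from the reporter's system
LANG=en_US.UTF-8
XMODIFIERS=
export QT_IM_MODULE=""
GTK_IM_MODULE=ibus
EOF
if find_empty_env "$sample"; then
    echo "empty assignments found (crash trigger reported for pam-1.6.1-1.fc40)" >&2
fi
rm -f "$sample"
```
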

Comment 7 Iker Pedrosa 2024-05-27 08:28:29 UTC
Thanks for pointing me in the right direction. If I provide a test build that fixes this issue, would you be willing to test it?

Comment 8 mershl 2024-05-27 08:47:51 UTC
Thank you Iker.

> would you be willing to test it?
Absolutely!

Comment 9 Iker Pedrosa 2024-05-27 10:47:51 UTC
COPR build for testing purposes: https://copr.fedorainfracloud.org/coprs/ipedrosa/pam_env_fix/

Comment 10 mershl 2024-05-27 18:21:44 UTC
Can confirm the test build fixes the issue.

Though

/etc/environment
  XMODIFIERS=

behaves differently from before. While before it could be used to unset an env var via /etc/environment, the line is ignored and has no effect on the logged-in environment when using the test build. Is this expected behaviour?

Comment 11 Iker Pedrosa 2024-05-28 08:51:12 UTC
I'm not completely sure because the documentation doesn't state anything in this regard. Can you try setting an empty string ""?

Comment 12 mershl 2024-05-29 17:27:38 UTC
Just noticed during my testing: The issue is quite critical as it not only breaks login but also sudo.

To reproduce on pam-1.6.1-1.fc40:
sudo vi /etc/environment
   add XMODIFIERS=
:wq
sudo vi /etc/environment
[1]    3554 segmentation fault (core dumped)  sudo vi /etc/environment
Process 3514 (sudo) of user 1000 dumped core.
          Module pam_succeed_if.so from rpm pam-1.6.1-1.fc40.x86_64
          Module libpam_misc.so.0 from rpm pam-1.6.1-1.fc40.x86_64
          Module pam_systemd.so from rpm systemd-255.6-1.fc40.x86_64
          Module pam_limits.so from rpm pam-1.6.1-1.fc40.x86_64
          Module pam_keyinit.so from rpm pam-1.6.1-1.fc40.x86_64

Without recovery actions the system is stranded after that as /etc/environment becomes un-editable.

Comment 13 mershl 2024-05-29 18:54:11 UTC
> Can you try setting an empty string ""?
(null) and empty string ("") no longer have an effect on pam-1.6.1-2test.fc40.x86_64:

$ cat /etc/environment
XMODIFIERS=""
$ env | grep -i XMOD
XMODIFIERS=@im=ibus

Comment 14 Fedora Update System 2024-05-30 07:58:05 UTC
FEDORA-2024-ec05ababc7 (pam-1.6.1-3.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-ec05ababc7

Comment 15 Iker Pedrosa 2024-05-30 08:24:56 UTC
I've built and pushed the changes that fix the problem that makes the system no longer usable.

Regarding the NULL assignment, this isn't clear to me, so I've opened an upstream issue to check whether this is the correct behaviour or a regression: https://github.com/linux-pam/linux-pam/issues/802

Comment 16 Iker Pedrosa 2024-05-30 08:25:07 UTC
*** Bug 2283058 has been marked as a duplicate of this bug. ***

Comment 17 Fedora Update System 2024-05-31 02:23:39 UTC
FEDORA-2024-ec05ababc7 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-ec05ababc7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-ec05ababc7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 18 Fedora Update System 2024-06-04 03:21:53 UTC
FEDORA-2024-ec05ababc7 (pam-1.6.1-3.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.